[working] root OLED C9 (possibly others too) with newest Firmware (05.30.10 - 9/28/2022)

[cowl0ver]

After trying basically everything on the web to downgrade & root my tv I finally found a working solution here (just translate with ur browser):

Original Guide
Guide translated by pbatard
(You will still need the Original Guide to get the .ipk files)

As we now know, the Guide should work with 2019/2020 and even older LG TV's.
Thanks to @pbatard for translation and clarify.

[JIEgOKOJI]

it works!

[felixmxr]

i think it works.
step 9 of the guide (Go to the Homebrew channel, the application will prompt you to reboot, press restart. That's all, the root is received;) didnt prompt me for a reboot.
i have ssh and telnet access.

[aresbrutus]

I can't seem to download telnet via homebrew. Is there anyway you can provide me with the IPK?

[Rogerthis]

Thanks for that guide, it's working for me.
Will this continue to work after the Dev timeout runs out?
Is an LG update block needed after that, to stop it from breaking?

[pbatard]

[UPDATED 2022.12.01 to add the local touch /var/log/crashd/"x;telnetd -l sh" alternate method]

Confirmed that it worked for me on an OLED CX with firmware 04.40.20.

Here is a rewriting of the guide linked by @cowl0ver above, with some slight clarifications for items I had trouble with as well as an alternative local method to run the "crashd exploit":

1. Get developer mode by registering an account here.
   It is possible that you may have be forced to use a mail using a .com domain for registration to work (e.g. gmail.com). You will have to accept a bunch of agreements... which you won't read.

2. Install the ThinQ App on a mobile device, and log onto it using your developer account. This is needed because LG stupidly forces you to go through this step to accept extra licenses, before you can log on to developer account on the TV. Why they can't just produce the additional licenses on the TV, or with the initial registration, and make you accept them there is beyond me!

3. On the TV (for CX models), go to All Settings → General → Additional Settings and set Quick Start+ to disabled. This is needed to ensure that the TV goes through a complete reboot when requested.

4. Install the Developer Mode App from the LG Content Store on the TV and validate that you can log in to your
   developer account (if you didn't do step 2, you may find that it won't let you, so please do that).
   Take a note of the IP address and passphrase and, on the left handside, enable Dev Mode Status and Key Server as shown in the picture below, as Dev Manager won't be able to connect to the TV otherwise:

   

5. Install the latest Dev Manager on a PC and launch it.
   Click the Add Device button in Options and fill in the fields Host (with the IP address and Passphrase you got from the TV).

6. In Dev Manager, install the Homebrew Channel 0.5.1 application (that should be listed in the main window) onto the TV.

7. • METHOD 1 (Recommended, as this is the one from the official #rootmytv Discord channel):
     • Still in Dev Manager, click on "terminal"
     • Type the following command then press enter:
       touch /var/log/crashd/"x;telnetd -l sh"
   • METHOD 2 (If the above doesn't work. This requires running external code from a remote server, which is always a potential security risk):
     • On the TV, launch Homebrew Channel (which you will now see in the LG App bar).
     • Click the "Settings" gear icon and select Add repository. Enter https://repo.webosapp.club as a new repository.
     • Go back to the main Homebrew Channel, you should now see a Run telnet/root.telnet application in the list of apps proposed
     • Run root.telnet from the repository.

Either of the above will run the "crashd exploit" and start a telnet server with root access on the TV.

8. Connect to the TV via telnet (port 23) using the same IP address as the one you use previously and enter the following commands exactly (Don't worry if you see library warnings being reported when running the commands, the commands are still being executed fine):

unset LD_PRELOAD
/media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service
mkdir -p /var/lib/webosbrew/init.d
cp /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/startup.sh /var/lib/webosbrew/startup.sh
rm -rf /var/luna/preferences/devmode_enabled && mkdir -p /var/luna/preferences/devmode_enabled

9. IMPORTANT: On the TV, delete the Developer Mode app. You must do this or else, as @Merri1 commented below, ssh will not work.

10. In telnet type reboot to reboot the TV.

11. Once the TV has rebooted, go to Homebrew channel again, and click the settings gear icon. You should see a greyed out Root status ok indicating that Homebrew channel has root access. Now you can enable the SSH Server by toggling its switch. Once you have done that, click the System reboot paragraph of text (bottom left) to reboot the TV.

12. From now on, an ssh server with root access will be enabled every time you start the TV. 😄
    You can SSH into your TV using the username root and password alpine on port 22 (default SSH port).

13. After this, you can turn on Quick Start+ again if you wish and set other Homebrew channel settings as needed.

[cambiass]

Very Good [pbatard]!

10. Connect to the TV via telnet (port 23)

Alternative? (ssh?)
I'm using a mac with monterey and telnet is not working..

[AdamDempsey]

I installed telnet via homebrew and my tv is now rooted :)

Very Good [pbatard]!

10. Connect to the TV via telnet (port 23)

Alternative? (ssh?)

I'm using a mac with monterey and telnet is not working..

[DedaDev]

Super nice, finally managed to install homebrew on my old LG :)

[cambiass]

11. On the TV, delete the Developer Mode app.
if I do this then it is removed homebrew channel after reboot!

p.s.
in my case, to connect with telnet, I don't have to use any port. But simply write: telnet 192.168.1.124 (no 22, no 23 port)
and everything works (except the problem in step 11)

[coolfizzin]

11. On the TV, delete the Developer Mode app. if I do this then it is removed homebrew channel after reboot!

p.s. in my case, to connect with telnet, I don't have to use any port. But simply write: telnet 192.168.1.124 (no 22, no 23 port) and everything works (except the problem in step 11)

The telnet port 23 is the default, so the telnet client is likely guessing the correct port when you connect. It wouldn't work without the correct port. It's just filling it in for you.

If deleting the Developer Mode all removes homebrew, then I believe the root isn't working correctly. Perhaps before you delete it you should go into the Homebrew app settings and check the box for disabling updates. I don't know if that will change anything, but it is something that I myself did before deleting Developer Mode.

[malloy139]

Worked on my C9 with firmware 05.30.11. Did not have to do step 2. Btw for Telnet on Windows you can use Putty.

[Michae11s]

Works on my 48A1 that was on latest firmware 03.33.11 webos 6.3.1

[apedance]

Working on
OLED55C97LA
Firmware: 05.30.11

[Bankysmithdev]

Hi, great tutorial but on start up I get a failsafe mode - a crash has occured duuring previous startup.

This happens everytime, am I missing something?

Cheers

[de-sascha]

Working on
OLED65BX9LB
WebOS TV Version: 05.4.1-903
Firmware: 4.40.18

[b1r0c]

Confirmed working on nano79655pc

[cowl0ver]

Hi, great tutorial but on start up I get a failsafe mode - a crash has occured duuring previous startup.

This happens everytime, am I missing something?

Cheers

same happens to me aswell!
just activated quick start+ to avoid the error and the following 2nd boot. I will try to debug the error if I have some time... most likely not before christmas ;)

[apedance]

Another working device
OLED65C11LB
Firmware: 03.33.11
This is a 2021 model I guess. Listed on 29.04.2021

[EMP83]

Today I rooted my C2 using crashed method on firmware 03..21.30. I have root acces, but unfortunately ssh server is not working, only telnet. I rested my tv several times, but each time same problem. Does anyone else have the same problem?

[Merri1]

Today I rooted my C2 using crashed method on firmware 03..21.30. I have root acces, but unfortunately ssh server is not working, only telnet. I rested my tv several times, but each time same problem. Does anyone else have the same problem?

@EMP83 I had the same problem on my first attempt. Did you remove the developer mode app at step 9? I missed that the first time around and after repeating the guide with that step, SSH and root access are working fine.

[jkp1304]

Works perfect on my OLED77C26LD
webOS TV-version
7.1.0-43 (mullet-maria)
Softwareversion 03.10.43

I think that is the version I'm still on now. Will have to check when I'm back from work. I have the above from a pic. on my phone :)

[OlsonTC]

Working without issues with method no. 1
SM8600PLA
F/w 5.30.15
WeboOS TV 4.9.7-12

[MeatyPB]

Didnt work,

LG CX
OS 5.4.1-15
FW 40.40.20

Upon reboot the hbchannel root is greyed out says "unelevated". cant seem to re run the sequence.
Neither terminal or telnet allow commands to be run.
"Permission Denied"

"An error occured during installation: Unable to exec luna-send-pub: Error:
connect ECONNREFUSED 127.0.0.1:9922"

Any help would be great, thanks.

[esbenab]

Works using method one.
tv
65UQ91006LA
UQ91006LA
webos
7.2.0-43 (mullet-marine)

[Mazda77]

Firmware version on uq9100?

[LolekLiam]

i cannot connect to my tv and i did everything exactly heres what i got:

also i am connected to wireless and not wired because we do not have wired network.

[bobslaede]

Worked for me.
75QNED826QB
Firmware 3.11.51
After the deed was done, I upgraded the firmware to 3.20.## and it still worked - still root.

[throwaway96]

Also, never turn tv off quickstart ever again or you will lose root eventually I learned the hard way.

That's not necessary. When done correctly, this is persistent across reboots, even with Quick Start+ disabled.

[tjayz]

Also, never turn tv off quickstart ever again or you will lose root eventually I learned the hard way.

That's not necessary. When done correctly, this is persistent across reboots, even with Quick Start+ disabled.

This is unfortunately fact on CX firmware 4.40.70. And if you follow the guide exactly you will never achieve root period, so not sure what done correctly even means. The jail files need tampering with for success on some of the latest firmwares.

[throwaway96]

The guide in this thread is out of date. See here for instructions that work as of a few hours ago. I have gotten persistent root using the crashd exploit on every major version of webOS from 4.0 to 6. (Haven't had a chance to personally do it on webOS 7 yet, but it does work.)

The need to remove jail_app.conf is not related to the firmware version. That file is downloaded from LG when logging into the dev mode app, and they updated it last month.

[tjayz]

Not deleting them is probably what leads to losing root then, I was merely changing ownership. Thanks for pointing out the official, always current guide. Will use that next time 🙏

Edit: @throwaway96I had time to read your guide through. I see why it failed and added all the additional steps I missed and ssh. Thanks!

[samuele2723]

hello guys, i'm trying to following the guide on my LG C9 with firmware 5.4.2-25 but when i try launch the telnet command the terminal seems looping infinite waiting

[m33x]

You are using the wrong quotes. The ones from Microsoft Word in italic are incorrect (your first opening quotation mark.)

Use straight quotes, as you can find them in a regular text editor like Notepad.

[ivpiteriv]

Same problem than @komax74 & @anno171986 with piccap and hyperion.
Edit: Didn't see the ssh password in item number 12

@komax74 @anno171986 could you fix the issue with piccap and hyperion?

[komax74]

no I abandoned the project and didn't try anymore, there was no way to root the TV

[ivpiteriv]

no I abandoned the project and didn't try anymore, there was no way to root the TV

Sorry to hear. I'm about to purchase a 65 C2 but don't want to miss out on a dynamic background light (hence root is mandatory).
Did you switch over to another TV/brand?

[mkaflowski]

Does METHOD 1 work on the just released v3.30.16 firmware (WebOS 7.3.0-16) on LG C2?

touch /var/log/crashd/"x;telnetd -l sh"
touch: touch /var/log/crashd/x;telnetd -l sh: No such file or directory

Looks like they patched it. 😢

Files to change in main directory:
https://digilops-my.sharepoint.com/:u:/g/personal/kaflowski_digilops_onmicrosoft_com/EXjJ5kzk6tFMkP4plT2T08IB8U7p686hJGX7cb5psBkGPw?e=kgx5Qe
After that restart.
It could be added to manual to method 1.

[Informatic]

Use the latest guide already linked multiple times here: https://gist.github.com/throwaway96/e811b0f7cc2a705a5a476a8dfa45e09f

[simfinite]

Is anyone with latest firmware having problems overwriting jail_app.conf as described in latest update here: https://gist.github.com/throwaway96/e811b0f7cc2a705a5a476a8dfa45e09f
The suggested command echo lol>/media/developer/jail_app.conf only gives -sh: can't create /media/developer/jail_app.conf: Permission denied

File permissions are looking like this
-rw-r--r-- 1 6454 5000 1631 Mar 10 18:59 jail_app.conf.sig

I cannot seem to delete or overwrite the file. Wish I wouldn't have applied the latest update before coming here...

[simfinite]

UPDATE: Tried again today after reading somewhere that turning off and unplugging the TV for ~ 2 minutes has helped in certain cases. It did help in my case with file permissions magically changed after the procedure, I could successfully overwrite contents of jail_app.conf
-rwxrwxrwx 1 6454 5000 13218 Mar 10 18:59 jail_app.conf

[mkaflowski]

unset LD_PRELOAD
/media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/elevate-service
mkdir -p /var/lib/webosbrew/init.d
cp /media/developer/apps/usr/palm/services/org.webosbrew.hbchannel.service/startup.sh /var/lib/webosbrew/startup.sh
rm -rf /var/luna/preferences/devmode_enabled && mkdir -p /var/luna/preferences/devmode_enabled

Uploading empty jail_app.conf did a job for me. After that command worked. Method 2 made "dev" apps gone after restart.

[zetsubou-io]

Working on LG CS.
I had to unplug the TV for 10-15 seconds every time the instructions said to reboot, even with QuickStart+ disabled.

Model: OLED65CSPA
webOS: 7.1.0-63 (mullet-maria)

[GCoffland]

For those not able to connect with telnet after step 8, this walkthrough helped me:
https://gist.github.com/throwaway96/e811b0f7cc2a705a5a476a8dfa45e09f
It has a step that says enter the following command into the Dev Manager terminal:
echo lol>/media/developer/jail_app.conf
This solved the unable to connect with telnet for me

[tomi064]

Working on LG C2
7.2.0-44

only had to send the telnet command twice

[poleax01]

Woking on lg 5555sk8500pla, thanks

[PrivotSponge]

Works on LGOLEDC83C21LA with WebOS 7.3.0 and firmware 3.33.16. Fully rooted!

[Crayolable]

I've published a (currently incomplete) guide to modifying the EEPROM. I also have a gist on the crashd vulnerability which includes general webOS/root information.

Thank you for the guide! I was able to root my LG C1, with the latest firmware. 😊

[RedRubble]

Worked on WebOS 7.3.1-39 version 3.33.65 via Method 1. Could not delete .sh file. Had to run
curl -L -o /tmp/jailpatch.sh https://raw.githubusercontent.com/throwaway96/install-jail-conf/main/jailpatch.sh && sh /tmp/jailpatch.sh as per throwaway96's guide.
Had to repeat a couple times, until it worked.

[SyCoREAPER]

Warning, [03.36.50] (C1) is not rootable (if you lost root). Telnet cannot be established and the workaround of replacing the two jail app files doesn't work either as the system has them hard locked.

Update at your own risk.

[PrivotSponge]

I did several updates on lg oled83 c2 til 33.33.85.
Tv is still rooted and everything works.

[throwaway96]

Warning, [03.36.50] (C1) is not rootable (if you lost root). Telnet cannot be established and the workaround of replacing the two jail app files doesn't work either as the system has them hard locked.

This is not true. You likely didn't properly reboot. (... assuming you followed the up-to-date guide. As previously noted multiple times, the information in this thread has been outdated for about a year now.)

[andrew-kennedy]

This worked for me for a C9 on 5.30.40!

[wisukind]

Works for me with:

Model: OLED55B8PLA
WebOS: 4.4.2-11

Thanks a lot guys !

[marekrbk]

working on 05.50.15 SK8100PLA

[ipeacocks]

UPD. Everything is OK. Official doc and few reboots helps me https://gist.github.com/throwaway96/e811b0f7cc2a705a5a476a8dfa45e09f
Neither first nor second variant works for me

LG OLED55B9PLA
Firmware: 05.40.10
WebOS: 4.10.0

[ShalokShalom]

I am on 05.40.45 on a E9.
Is there any chance?

WebOS 4.10.0-17

[ShalokShalom]

2. Install the ThinQ App on a mobile device, and log onto it using your developer account. This is needed because LG stupidly forces you to go through this step to accept extra licenses, before you can log on to developer account on the TV. Why they can't just produce the additional licenses on the TV, or with the initial registration, and make you accept them there is beyond me!

This is not the case anymore. You may wanna update that part, @pbatard

3. On the TV (for CX models), go to All Settings → General → Additional Settings and set Quick Start+ to disabled. This is needed to ensure that the TV goes through a complete reboot when requested.

This is also the case for the 9 series, as my E9 shows that setting as well.
Do we know exactly, which models have that setting, so we can precise this guide?

Also: If this is a method to root current models and firmware, can we update the homepage as well? I currently says, that my TV is not supported and that it cannot be rooted.

It could instead link to this page?